
Sunday, September 30, 2007

Thanks to a pretty good uh-oh on the framework list, I got an ecopy of the new book. I'm only thru chapter 3, which really contained nothing not already out there. Some of the other chapters look a bit more promising. For example, you build a VoIP aux module (of course MC already got his working in like 5 minutes), then you go into some case studies. Two initial gripes are: 1) the warez is old; out of 5 case studies I found the software for only 2 of them. A case study is worthless if you can't do it yourself (but they don't do warFTP, which is good). 2) The exploits are written for the 2.x branch. Anyone that keeps up with MSF knows that 2.x is dead, so it certainly takes down from the value of the book for the examples to be in 2.x. It wouldn't have been too hard to port them and make the book much more current.

Again, this isn't the review; I'm only thru chapter 3, just some initial thoughts. When I do the review I'll probably have to tackle it from two viewpoints: 1) from someone who doesn't know anything at all about Metasploit and 2) from someone who has been using the MSF for a while. We'll see how that goes...

Saturday, September 22, 2007

I have a ton of those red-covered books on the bookshelf. The Hacking Exposed series has been good to me and good to every person trying to learn security. So, I was excited to have my new green-covered Hacking Exposed Wireless book show up at the house so I could learn some wireless hacking. The first 60 pages or so of background technical content is interesting but not totally necessary to get going with the topic. I do realize to be a good "hacker" you need to understand the technology, but the other HE's have been able to balance giving us the background and still being able to use the tools for some hacking action.

I felt that once we finally got into the technical content (starts with 802.11 discovery) they talked around topics but really didn't cover how to actually "do" anything. There isn't much to running Kismet after configuring the one or two lines of the conf file. Then it's a simple #kismet or $sudo kismet and it runs. NetStumbler is even easier since you have a GUI to help you out and it's on Windows, and same same with KisMAC on OS X.

The cracking WEP section starts out by saying use an old kernel and the madwifi-old drivers. That may have been great advice when the book was published, but it is certainly not useful for the average user today, especially since it appears the bugs have been worked out of the new madwifi driver and aircrack-ng. (We do have to take into account that I read the book in Sep 07 and it was published in March 07.) The section on using aircrack to break WEP on Linux on pages 180-182 was decent but certainly not anything you can't get on the aircrack-ng homepage. A little more content on how we do fake authentication attempts, and then why and how we have aireplay send our ARP packets, would have been nice. The current version of aireplay, when you run that capture, makes you pick which capture we want to use; since they don't cover what packet to use, it may be difficult for the person following along. The shell of the instructions is there, but the details are missing.

The opportunity to shine by talking about the Fragmentation and ChopChop attacks is devoid of actually using aircrack-ng or other tools to launch the attacks, so it falls short.

The Hacking Hotspots section (CH 9) looked to be the redeeming section at first glance, but much like the WEP cracking section it is lacking any useful screenshots or how to use any of the tools they mention. The most frustrating part was the author telling us how they have a slick SSH setup to use public hotspots but providing no information on how to set up one of our own. The tunneling using OzymanDNS attack gives no useful information on how to use the tool; the billing attacks section gives no useful information either. While I understand it's illegal to steal wifi, if you aren't going to actually cover it, don't bother talking all around it. The client attack section consisted of installing nmap and Nessus and running them against clients on the LAN. That section was the perfect setup to really cover KARMA in-depth; sadly, a missed opportunity.

The Bluetooth section (CH 10), which looks to be written by Kevin Finisterre, was excellent and met the high standards previous HE books set. He walks us through a fictional scenario with real code, explains how we can use the code to exploit Bluetooth vulnerabilities on OS X, and gives us the link to the code :-)

Overall I was disappointed in the book which is unfortunate because the authors are known to be very knowledgeable and skilled people in the security industry. It can be a good reference on wifi background and hardware if you need one but it falls a bit short IMO of being as useful as some of the other HE titles.

I'm not sure what I can write to sway you to buy or read the book if 5-star reviews from Ben Rothke and Richard Bejtlich don't sway you, but I'll throw my likes and dislikes in here anyway. I'm not a "metrics guy" (in fact, I'm still not), but I do think the book puts the concept of using them into perspective for the person that may not use any metrics in their security work.

I've been summing up the book to people at work by using the example (and I'll badly paraphrase) from the book of "if your spam gateway blocks 100,000 spam messages a day, is that a good metric?" Initially you may say yes, that is a good metric. In fact, most people at work said the same thing. But, as the author explains, it is a poor metric. Better metrics are useful percentages like the percentage of missed spam or the percentage of false positives. Saying that 100,000 spam messages are being stopped only tells us that you have a ton of spam on your network.

Some of the things I liked about the book were the author's discussions on how to make charts more readable and efficient at portraying information. I had to read the Tufte books in college and have to admit that I got more out of chapter 6 (visualization) than I feel I learned in that whole semester of class. Chapter 2, discussing what makes good metrics, was extremely useful, as were chapters 3 & 4, because they gave good examples of metrics you can use to measure an organization's various defenses like perimeter security or application security. The discussion of using COBIT, ITIL and security frameworks in Chapter 4 was also good.

I only had two minor gripes. First, toward the end of the book the author talks about colors of slides and charts, which obviously doesn't do us any good since the book is in black and white; and second, he does use some big words throughout the book and I did find myself having to go back and reread things. Could he have put it into simpler terms? Probably, but that doesn't make the book bad, just means I need to work on my vocab :-)

Overall it was a good entrance to the world of security metrics for me and took away some of the perceived boredom of them. It definitely gave me some tools to look more critically at the numbers and stats that some of the vendors throw our way, as well as how to deliver data and information in a more useful manner.

Then let's use sqlcmd to see if we can get a command shell on the box. sqlcmd uses xp_cmdshell to execute commands.

cg@segfault:~/evil/db$ ./sqlcmd A.B.X.28:1433
connected to host A.B.X.28:1433 as user sa!
exit with CTRL+C
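The defender's side of the same mechanism, as an added example that is not from the post: on SQL Server 2005 or later (an assumption; on SQL Server 2000 xp_cmdshell is always available), the procedure is governed by sp_configure, so an administrator can check whether it is enabled, whether the sa login used above is even active, and then turn xp_cmdshell off.

```sql
-- Added example, not from the post. Assumes SQL Server 2005+, where
-- xp_cmdshell is controlled through sp_configure and defaults to off.

-- 1. Is xp_cmdshell enabled on this instance? value_in_use = 1 means a
--    login with sysadmin (such as sa) can run OS commands through it.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Is the sa login itself enabled? The session above authenticated as sa,
--    so a disabled sa (is_disabled = 1) would have closed that path.
SELECT name, is_disabled
FROM sys.server_principals
WHERE name = 'sa';

-- 3. Disable xp_cmdshell. 'show advanced options' must be on to change it,
--    and RECONFIGURE is required for each change to take effect.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Re-check: value_in_use should now read 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Run the checks in steps 1 and 2 against each instance; a shell obtained the way the post describes depends on both xp_cmdshell being on and a sysadmin login being reachable over 1433.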

Thursday, September 6, 2007

OK, got it figured out (yes, Dean told me to change the port yesterday). If you were following along and just want the quick answer, it's that you have to change the default port number (which is 4444) to something else for that 2nd shell. 4444 is tied up on your pivot host with your meterpreter session, so that makes sense....

Let's see it:

Get your shell, see the internal network, add the route thru your meterpreter session; no change from yesterday :-)

So I'm working on ChicagoCon slides and looking for a fun demo. Dean and I were talking about being able to pivot or relay through the victim into the internal network. I said I didn't think you could do it (he said you can)... the answer... you can. Yeah, I lost the bet :-) http://www.metasploit.com/archive/framework/msg02580.html

OK, so you can see that we should be routing traffic thru there. Now I tried to ping the host (which is 172.16.0.100 in this case) and that didn't work; I also couldn't get any of the scanner auxiliary modules to actually scan and find anything (on either network), which is a bummer.

But I did get the SMB scanner auxiliary module to work and give me back the correct answer, so I know it's working and passing data.

Monday, September 3, 2007

So I apologize to my handful of readers for a lack of an update this week. I've been in Northern VA doing some interviewing for jobs.

I thought I would have some wicked fun blog posts on the tech questions I got asked, but I really didn't field too many. Most of those were on the phone, or maybe my background just spoke for itself that I could learn anything I needed to learn. Either way, I'll hold off on blog posts about the interviews until I actually get any job offers.